Attorneys offer their perspective on the privacy and compliance issues faced by the technology and how it squares, or not, with laws such as HIPAA and GDPR.
As we’ve been showing in our Focus on Blockchain, by offering immutable distributed ledger network for the sharing of sensitive data, blockchain is particularly well-suited for an array of healthcare uses cases.
“A lot of people look at blockchain as a silver bullet for all kinds of problems, but I think healthcare is actually one of them where it makes sense,” said (aptly named?) Edward Block, an attorney focused on technology and security at Austin-based Foley Gardere.
“I think it provides a lot of control over what happens with patient information,” said Block, who previously served as chief information security officer for the State of Texas. “The idea that I have to go pay doctors to make copies of my medical records is crazy. Having all my data in a usable and portable format is a great use of this technology.”
But that promise comes with a lot of questions: confusion about how the technology should be deployed, uncertainty about how it might jibe with existing infrastructure and workflows and, particularly, some debate about how blockchain fits with state, national and international privacy laws such as HIPAA, EU’s General Data Protection Regulation, and the GDPR-like California Consumer Privacy Act, which was passed by the state this past summer.
In some ways, blockchain may be well-suited to compliance with each of these laws.
“Under GDPR, there is a burden to protect health records that’s not too different from HIPAA,” said Foley Gardere attorney Peter Vogel (who’s also a coder with a CS degree and focuses his practice on issues related to IT and the internet). “This may give some of the privacy advocates pause for thought that this may be a better means to protect it than using the traditional standard technology that’s out there.”
But there are lingering questions, for instance, about just how HIPAA compliant blockchain might be. Same goes for how it might comport with the still-recent GDPR regs. We’ve spoken to other attorneys who think existing privacy laws might have to be rethought somewhat in order to square with blockchain’s many applications.
“It has a lot of good applications, but we have so much to do” from a regulatory standpoint, Pepper Hamilton Partner Sharon Klein told us in 2017. For instance, she said, “HIPAA contains a ‘patient bill of rights.’ So if I, as the patient, want to go see my healthcare records, I just raise my hand and you’ve got to give them to me. How’s that going to work with blockchain?”
Similarly, consider GDPR’s so-called “right to be forgotten,” Eddie Block points out. “How do you ‘forget’ something on a supposedly immutable blockchain?” he said. “There are big challenges that need to be worked through.”
For example, one of the principles of good data security is the CIA Triad, Block explains: confidentiality, integrity and availability.
Blockchain’s distributed and tamper-proof nature “goes a long way toward solving the availability and integrity aspects, but it doesn’t do a whole lot with confidentiality,” he said.
“So there’s got to be additional footwork on the confidentiality side: The fact that an individual could have a single record of all of their medical history, in this sort of immutable and distributed manner, makes for great availability and integrity. But the fact that you would need multiple different parties to be able to access that in a meaningful way, makes the confidentiality challenges at the forefront of the issue.”
Lack of clarity on compliance
So is blockchain HIPAA compliant? Right now there are some doubts. As Masur Griffiths attorney Sarah Siege noted in a recent blog post, “HIPAA prohibits the use of mathematically-derived encryption of protected health information because the encrypted information can potentially be re-identifiable. This strict regulation would seemingly render the use of blockchain in the healthcare industry non-compliant with HIPAA.”
At the same time, Siegel suggested, the emerging technology could offer an opportunity to help rethink some aspects of the the 22-year-old privacy regulation – a larger idea that appears to be potentially gaining momentum in Washington.
For their part, the Foley Gardere attorneys take a nuanced view on blockchain’s conformity with existing privacy law.
“The answer is yes and no,” said Vogel.
“It comes down to the implementation,” said Block.
“If it is immutable, and it’s a distributed database, that’s probably a better form of protection than what we have now,” Vogel explained, “But one of the things I’ve always been skeptical of, and I guess time will tell, is the base technology for blockchain is open? It’s always given me the heebie-jeebies a little bit that we’re relying on open source stuff as a baseline because we don’t know who may or may not be building backdoors or viruses, already built into things.”
And with regard to laws like GDPR and its new California cousin, CCPA, there’s “a whole series of challenges,” said Block.
“Some of the issues right now, on the cryptocurrency side of blockchain, for example, focus on who is the controller, versus the processor. Those will probably be clearer answers in the healthcare space. But there’s still room for that confusion: who is the controller of the blockchain? And what are their responsibilities versus a processor? And I’d hate to even get into the subprocessor issues.”
“If a controller is only allowed to retain data for a period of time, and only for lawfully valid reasons, where does that square with a blockchain that continues to grow over time and people may not fall off?” said Vogel. “There are definitely some open questions, I think.”
Add to the confusion the fact that “we have different regulations from different governments, not just in the U.S. and the EU but all over the world,” he said. “Are they in conflict with one another? Sometimes yes and sometimes no. Because of how the laws were written, and how they apply in different countries and the fact that we don’t have international borders when it comes to the internet. And do lawmakers get it? And has that set it up for blockchain to either work or not work?”
Block added that many technologies struggle with the same issue, which is essentially that the regulators and the developers and innovators on the leading-edge are rarely on the same page.
“It takes them time to figure that out,” Block added. “In certain states it can take two, three, four years to put a regulation in place, which can take a lifetime in the technology world.”
Advice for those who start blockchain projects
In the meantime, in the absence of some more concrete guidance, many people in healthcare and other industries are taking something of a wait-and-see approach.
“We don’t know what the courts are going to do,” said Vogel. “We have no clue. And until we start getting some rulings from courts, it’s kind of perplexing.”
Vogel recommended that, as a general rule, the laws of other countries may or may not apply on the internet.
“There have been cases all over the world that seem to indicate the law in other countries doesn’t apply. But I would think, from an IT leadership standpoint, my clients, some of them are very aggressive about wanting to be in total compliance with GDPR. They bend over backwards to try to protect their healthcare data.”
Block had some further advice for healthcare organizations too.
“If they’re going to move forward with a pilot of blockchain – or any project involving PHI or PII – make sure they’ve made the good faith effort to protect the data,” Block said. “The challenge is going to be the folks that call me after they’ve already done it.”